The Federal Bureau of Investigation (FBI) issued a FLASH report to disseminate indicators of compromise (IoCs) related to Funnull [1]. Threat actors used them to manage cryptocurrency investment fraud scams between October 2023 and April 2025. The report provided links to two lists [2], [3].
WhoisXML API analyzed the threat in two parts. First, we looked at the 277,779 domains using several of our tools, which allowed us to gather these findings:
- 176,656 root domains extracted from the FBI’s IoC lists
- 101,123 net new typosquatting domains uncovered
- 82,261 out of the 277,779 domains dubbed “likely to turn malicious” as soon as they were created
- Sample DNS traffic data from the IASC collected for the 277,779 domains recorded 22,772 unique client IP addresses querying 1,062 distinct domains between May 6 and June 4, 2025, through 189,640 DNS requests
The second part, which started from the 101,123 net new typosquatting domains and the 44,834 FBI domains they were derived from, led to these findings:
- Hong Kong was the top geolocation country of the resolving IP addresses, while the top ISP differed between the IPs of the net new typosquatting domains and those of the FBI domains.
- The U.S. was the top current registrant country, while 146 was their top IANA ID.
- The U.S. was the top historical registrant country (i.e., when the domains were first created), while the top historical IANA ID differed between the net new typosquatting domains and the FBI domains.
—
- [1] https://www.ic3.gov/CSA/2025/250529.pdf
- [2] https://www.ic3.gov/CSA/2025/Funnull_Technology_Inc_Associated_CNAMEs.xlsx
- [3] https://www.ic3.gov/CSA/2025/Complete_List_of_Domains_Attributed_to_Funnull.zip